Remove more unused APIs (#3537)

* Remove more unused APIs

* prettier

* Fix Test

* Fix tests

* Remove SSO Integration

* fix tests

* lint
Daniel Valdivia
2025-05-14 15:41:50 -07:00
committed by GitHub
parent e2bbf91e8a
commit 3dc0fdc039
50 changed files with 74 additions and 4337 deletions


@@ -24,7 +24,6 @@ import (
"net/http"
"strings"
"github.com/minio/console/pkg/auth/token"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/pkg/v3/env"
"golang.org/x/crypto/pbkdf2"
@@ -135,49 +134,3 @@ type OpenIDPCfg map[string]ProviderConfig
func GetSTSEndpoint() string {
return strings.TrimSpace(env.Get(ConsoleMinIOServer, "http://localhost:9000"))
}
func GetIDPURL() string {
return env.Get(ConsoleIDPURL, "")
}
func GetIDPClientID() string {
return env.Get(ConsoleIDPClientID, "")
}
func GetIDPUserInfo() bool {
return env.Get(ConsoleIDPUserInfo, "") == "on"
}
func GetIDPSecret() string {
return env.Get(ConsoleIDPSecret, "")
}
// Public endpoint used by the identity oidcProvider when redirecting
// the user after identity verification
func GetIDPCallbackURL() string {
return env.Get(ConsoleIDPCallbackURL, "")
}
func GetIDPCallbackURLDynamic() bool {
return env.Get(ConsoleIDPCallbackURLDynamic, "") == "on"
}
func IsIDPEnabled() bool {
return GetIDPURL() != "" &&
GetIDPClientID() != ""
}
// GetPassphraseForIDPHmac returns passphrase for the pbkdf2 function used to sign the oauth2 state parameter
func getPassphraseForIDPHmac() string {
return env.Get(ConsoleIDPHmacPassphrase, token.GetPBKDFPassphrase())
}
// GetSaltForIDPHmac returns salt for the pbkdf2 function used to sign the oauth2 state parameter
func getSaltForIDPHmac() string {
return env.Get(ConsoleIDPHmacSalt, token.GetPBKDFSalt())
}
// getIDPScopes return default scopes during the IDP login request
func getIDPScopes() string {
return env.Get(ConsoleIDPScopes, "openid,profile,email")
}


@@ -18,15 +18,5 @@ package oauth2
// Environment constants for console IDP/SSO configuration
const (
ConsoleMinIOServer = "CONSOLE_MINIO_SERVER"
ConsoleIDPURL = "CONSOLE_IDP_URL"
ConsoleIDPClientID = "CONSOLE_IDP_CLIENT_ID"
ConsoleIDPSecret = "CONSOLE_IDP_SECRET"
ConsoleIDPCallbackURL = "CONSOLE_IDP_CALLBACK"
ConsoleIDPCallbackURLDynamic = "CONSOLE_IDP_CALLBACK_DYNAMIC"
ConsoleIDPHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE"
ConsoleIDPHmacSalt = "CONSOLE_IDP_HMAC_SALT"
ConsoleIDPScopes = "CONSOLE_IDP_SCOPES"
ConsoleIDPUserInfo = "CONSOLE_IDP_USERINFO"
ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION"
ConsoleMinIOServer = "CONSOLE_MINIO_SERVER"
)


@@ -18,7 +18,6 @@ package oauth2
import (
"context"
"crypto/sha1"
"encoding/base64"
"encoding/json"
"errors"
@@ -33,7 +32,6 @@ import (
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/minio/minio-go/v7/pkg/set"
"github.com/minio/pkg/v3/env"
"golang.org/x/crypto/pbkdf2"
"golang.org/x/oauth2"
xoauth2 "golang.org/x/oauth2"
)
@@ -115,12 +113,6 @@ type Provider struct {
client *http.Client
}
// DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter
// its derived using pbkdf on CONSOLE_IDP_HMAC_PASSPHRASE with CONSOLE_IDP_HMAC_SALT
var DefaultDerivedKey = func() []byte {
return pbkdf2.Key([]byte(getPassphraseForIDPHmac()), []byte(getSaltForIDPHmac()), 4096, 32, sha1.New)
}
const (
schemeHTTP = "http"
schemeHTTPS = "https"
@@ -146,68 +138,6 @@ func getLoginCallbackURL(r *http.Request) string {
var requiredResponseTypes = set.CreateStringSet("code")
// NewOauth2ProviderClient instantiates a new oauth2 client using the configured credentials
// it returns a *Provider object that contains the necessary configuration to initiate an
// oauth2 authentication flow.
//
// We only support Authentication with the Authorization Code Flow - spec:
// https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.Client) (*Provider, error) {
ddoc, err := parseDiscoveryDoc(r.Context(), GetIDPURL(), httpClient)
if err != nil {
return nil, err
}
supportedResponseTypes := set.NewStringSet()
for _, responseType := range ddoc.ResponseTypesSupported {
// FIXME: ResponseTypesSupported is a JSON array of strings - it
// may not actually have strings with spaces inside them -
// making the following code unnecessary.
for _, s := range strings.Fields(responseType) {
supportedResponseTypes.Add(s)
}
}
isSupported := requiredResponseTypes.Difference(supportedResponseTypes).IsEmpty()
if !isSupported {
return nil, fmt.Errorf("expected 'code' response type - got %s, login not allowed", ddoc.ResponseTypesSupported)
}
// If provided scopes are empty we use a default list or the user configured list
if len(scopes) == 0 {
scopes = strings.Split(getIDPScopes(), ",")
}
redirectURL := GetIDPCallbackURL()
if GetIDPCallbackURLDynamic() {
// dynamic redirect if set, will generate redirect URLs
// dynamically based on incoming requests.
redirectURL = getLoginCallbackURL(r)
}
// add "openid" scope always.
scopes = append(scopes, "openid")
client := new(Provider)
client.oauth2Config = &xoauth2.Config{
ClientID: GetIDPClientID(),
ClientSecret: GetIDPSecret(),
RedirectURL: redirectURL,
Endpoint: oauth2.Endpoint{
AuthURL: ddoc.AuthEndpoint,
TokenURL: ddoc.TokenEndpoint,
},
Scopes: scopes,
}
client.IDPName = GetIDPClientID()
client.UserInfo = GetIDPUserInfo()
client.client = httpClient
return client, nil
}
var defaultScopes = []string{"openid", "profile", "email"}
// NewOauth2ProviderClientByName returns a provider if present specified by the input name of the provider.


@@ -1,71 +0,0 @@
// This file is part of MinIO Console Server
// Copyright (c) 2021 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package oauth2
import (
"context"
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"golang.org/x/oauth2"
)
type Oauth2configMock struct{}
var (
oauth2ConfigExchangeMock func(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
oauth2ConfigAuthCodeURLMock func(state string, opts ...oauth2.AuthCodeOption) string
oauth2ConfigPasswordCredentialsTokenMock func(ctx context.Context, username, password string) (*oauth2.Token, error)
oauth2ConfigClientMock func(ctx context.Context, t *oauth2.Token) *http.Client
oauth2ConfigokenSourceMock func(ctx context.Context, t *oauth2.Token) oauth2.TokenSource
)
func (ac Oauth2configMock) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
return oauth2ConfigExchangeMock(ctx, code, opts...)
}
func (ac Oauth2configMock) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {
return oauth2ConfigAuthCodeURLMock(state, opts...)
}
func (ac Oauth2configMock) PasswordCredentialsToken(ctx context.Context, username, password string) (*oauth2.Token, error) {
return oauth2ConfigPasswordCredentialsTokenMock(ctx, username, password)
}
func (ac Oauth2configMock) Client(ctx context.Context, t *oauth2.Token) *http.Client {
return oauth2ConfigClientMock(ctx, t)
}
func (ac Oauth2configMock) TokenSource(ctx context.Context, t *oauth2.Token) oauth2.TokenSource {
return oauth2ConfigokenSourceMock(ctx, t)
}
func TestGenerateLoginURL(t *testing.T) {
funcAssert := assert.New(t)
oauth2Provider := Provider{
oauth2Config: Oauth2configMock{},
}
// Test-1 : GenerateLoginURL() generates URL correctly with provided state
oauth2ConfigAuthCodeURLMock = func(state string, _ ...oauth2.AuthCodeOption) string {
// Internally we are testing the private method getRandomStateWithHMAC, this function should always returns
// a non-empty string
return state
}
url := oauth2Provider.GenerateLoginURL(DefaultDerivedKey, "testIDP")
funcAssert.NotEqual("", url)
}


@@ -16,20 +16,5 @@
package auth
import (
"net/http"
"github.com/minio/minio-go/v7/pkg/credentials"
)
// GetCredentialsFromLDAP authenticates the user against MinIO when the LDAP integration is enabled
// if the authentication succeed *credentials.Login object is returned and we continue with the normal STSAssumeRole flow
func GetCredentialsFromLDAP(client *http.Client, endpoint, ldapUser, ldapPassword string) (*credentials.Credentials, error) {
creds := credentials.New(&credentials.LDAPIdentity{
Client: client,
STSEndpoint: endpoint,
LDAPUsername: ldapUser,
LDAPPassword: ldapPassword,
})
return creds, nil
}


@@ -1,27 +0,0 @@
// This file is part of MinIO Console Server
// Copyright (c) 2021 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package ldap
import (
"strings"
"github.com/minio/pkg/v3/env"
)
func GetLDAPEnabled() bool {
return strings.ToLower(env.Get(ConsoleLDAPEnabled, "off")) == "on"
}


@@ -1,22 +0,0 @@
// This file is part of MinIO Console Server
// Copyright (c) 2021 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package ldap
const (
// const for ldap configuration
ConsoleLDAPEnabled = "CONSOLE_LDAP_ENABLED"
)


@@ -316,10 +316,3 @@ func GetAllCertificatesAndCAs() (*x509.CertPool, []*x509.Certificate, *xcerts.Ma
}
// EnsureCertAndKey checks if both client certificate and key paths are provided
func EnsureCertAndKey(clientCert, clientKey string) error {
if (clientCert != "" && clientKey == "") ||
(clientCert == "" && clientKey != "") {
return errors.New("cert and key must be specified as a pair")
}
return nil
}


@@ -17,9 +17,6 @@
package kes
import (
"crypto/x509"
"encoding/pem"
"errors"
"time"
"github.com/minio/kes"
@@ -179,18 +176,3 @@ type ServerConfig struct {
Log Log `yaml:"log,omitempty" json:"log,omitempty"`
Keys Keys `yaml:"keys,omitempty" json:"keys,omitempty"`
}
func ParseCertificate(cert []byte) (*x509.Certificate, error) {
for {
var certDERBlock *pem.Block
certDERBlock, cert = pem.Decode(cert)
if certDERBlock == nil {
break
}
if certDERBlock.Type == "CERTIFICATE" {
return x509.ParseCertificate(certDERBlock.Bytes)
}
}
return nil, errors.New("found no (non-CA) certificate in any PEM block")
}